The computer science chapter at my alma mater, KTH, arranges an advent calendar called “dJulkalendern”. It is a CTF-like puzzle with challenges (almost) every day until christmas and also a competition.
The puzzles are not really security focused like regular CTF but more broader IT related puzzles. The competiton was held in Swedish but I will still do this writeup in English since anyone might learn a thing or two from it. This means that I might translate clues and other texts freely into English. If you want to see everything verbatim, go to the challenge site. This year, there were a puzzle every weekday and I will go through and explain them all. To prevent this post from being too long, I will be pretty brief in my explanations. If you have any questions or solved something in a different way, please comment below.
Day -1: Ready?
We are given a description:
This window, Window -1, is a practice window of sorts. It does not count toward the final score. The solution is the 31st word of the second mail sent by Santa, as shown in the Lore Page. Good luck!
Doing this gives us the password
Day 1: Ho-ho-ho
We are given an encrypted message:
hoO-HOo-hoo hoO-Hoo-HoO hoO-HOo-hOo hoO-HoO-HoO hoO-Hoo-hoO hoO-HoO-HOo hoO-Hoo-HoO hoO-HoO-HOo hoO-HOo-Hoo
Every chunk has 3x3=9 characters, treating a lowercase character as a 0 and an uppercase character as a 1 and decoding it as ASCII we get the answer.
Running this gives us the answer
Day 2: Instructions unclear, coffee stuck in machine
We are given a couple of instruction steps including a large block of digits. Taking each digit and colouring it with a different colour reveals the password.
Running this gives the following image:
In the image you can just barely make out the word
Day 3: Ho Ho Ho-uston, we have a problem
The challenge gives you instructions how to connect to the MUD using netcat. Connecting to the server presents you with a classic text-based adventure game. The game involves walking around, picking up some items, using them in various places and eventually flipping the light switch which gives you the following message:
The main light in the room turns on, and you can hear the sound of machinery and electricity stuff turning on all over the basement. All the monitors in the room has turned on, and you see the word "parched" slowly scrolling across all of them. Feeling proud of your work, you go back up the now working elevator back to the office. _ _ | | | | ____ _____ ____ ____ | |__ _____ __| | | _ \ (____ | / ___)/ ___)| _ \ | ___ | / _ | | |_| |/ ___ || | ( (___ | | | || ____|( (_| | | __/ \_____||_| \____)|_| |_||_____) \____| |_|
And the password is
Day 6: Logging for answers
You are given a number of log files, all named
x,y.log and containing one character each. By taking the filename of the log as a coordinate and placing the contents of the file at that location in a grid we can render an image:
Running this code prints the following:
K T Z B P N U J J C W F N S T V GARDEN KQBUW A G BFFH B B C W H W Y LRWOM M V T Y B M Y R E R BC BCWWV J B T G K
And we can read the password
Day 7: Quests & ions
This challenge sends you to a quiz page very similar to Kahoot! For every question a request is made to the following URL:
http://djul-2021-kahootish.medusa.datasektionen.se/getStatus/containing a response like this:
By looking at the 1-indexed value in
currentA we know which is the correct answer to the question and we can just keep answering correct until we have accumulated 10 points and we get a popup saying “The word is:
Day 8: Sales, Sheets, Battlestar Galactica
We are given a zip file containing both a .csv and an .xlsx file as well as an info text saying the contents are the same and we can use whichever.
The csv contains one line of milk and cookie emojis. We can get rid of the commas and replace them with 0 and 1 without losing any information. We note that the data is 441 characters long which happens to be 21x21. Organising the data into a square reveals a QR code pattern. Replacing the 0 with “#” and 1 with “ “ makes it even more clear. We can create an image from this using Pillow and then decode it with the
This gives us the password
Day 9: To ponder, or not to ponder
We are given the numbers
38399, 12803, 33497, 22847, 12383. If we factor each number, sum the factors and decode the sums as ASCII characters we get the answer:
Running this gives the answer
Day 10: MUDdy business
This challenge is another MUD. When you connect to the server you are presented with a series of rooms. In each room, the goal is to visit every square of the room exactly once. This is called a “self-avoiding walk” and appears in many variations, including some of the 2D Zelda games. Once you have solved all the rooms you are greeted with the following message:
It seems like you got thorugh all of the security systems. You enter a large archive with rows upon rows of shelves filled with books and other old looking stuff. You start searching, looking around the files. You notice a small table upon which a singular book is laid out. Your interest is piqued, and you approach it. You pick it up and start reading on the backside. Among the contents, the word 'fastidious' sticks out to you. ____ __ ___ ____ ____ ____ ____ _____ __ __ ___ ( ___)/__\ / __)(_ _)(_ _)( _ \(_ _)( _ )( )( )/ __) )__)/(__)\ \__ \ )( _)(_ )(_) )_)(_ )(_)( )(__)( \__ \ (__)(__)(__)(___/ (__) (____)(____/(____)(_____)(______)(___/
So the password is
Day 13: Have a crack at cracking
This challenge provides you with a website with a login form. The hash of the password for the first user is
a01fe2d5aea3c1360eb5b8eb64b668af. Googling this hash shows that the password is
Logging in using this password gives a hint:
8u7 n07 45 4dm1n! 70 f1nd 7h3 4dm1n5 53c2375, y0u w111 h4v3 70 f1nd 7h3 4dm1n p455w02d. 1m v32y 5u23 7h47 y0u c4n n07 f1nd 17, 17 15 1n n0n3 0f y0u2 d1c710n42135. my h1n7 f02 y0u: 7h3 p455w02d 15 1n 7h3 71713 0f 7h3 8357 50n9 1n 7h3 w021d 4cc02d1n9 70 4dm1n! 87w, w2171n9 11k3 7h15 15 n02m41 f02 4dm1n
We disregard the claim about the word not being in the dictionary and prepare a mutation rule for the flavour of leetspeek they are using.
We then try to crack the password using the rockyou.txt password list applying the leetspeak rule we created:
Which gives us the passowrd
80h3m14n2h4p50dy (Bohemian Rhapsody). Logging in with it gives us the password
Day 14: Jumbled Endpoints
This challenge revolves around the Library of Babel which is also implemented as a website at: http://libraryofbabel.info
You are supposed to search for various texts and answer which book, shelf etc they can be found in. Eventually you will get the message
A DEAD END. YOU WERE DECEIVED. but this is fake and by looking at the html source code there will be some final steps in the CSS, etc which will eventually lead you to an image containing some purple text in the lower left corner:
The word is angler.
Which gives us the password
Day 15: Checking Loads
In this challenge we are given a video file with a santa dancing on top of some squares. The squares represent a board of Game of Life. By setting up the state from the video and simulating one step of Game of Life, the cells spell out the word
Day 16: Omega
The challenge consists of an ELF binary. Disassembling it reveals that there is a function called
christmas_present which is never called by the code. Looking closer at the instructions in the function they don’t really make sense but taking the first letter of some of them spell out the password
Day 17: Ho ld Your Horses
Here we get another MUD which we can connect to. We are presented with a huge grid but after taking 16 actions the MUD crashes and gives us a link to a logfile:
A known error occured: Array index in bounds Buffer not flowing, dam Expected integer received, received received integer NotUnimplementedException caught in .NET Insufficient social credit score received Float value sank Could not reach 'google.com', trying 'bing.chilling' Loop repeated code several times Conversion to Double only support Integer * 2 Could not add value '+' Undefined defined as Undefined, should not be defined Expected struct, got building 43 6f 75 6c 64 20 6e 6f 74 20 63 6f 6e 76 65 72 74 20 74 6f 20 68 65 78 Segmentation fault was excused Deleted file missing Math.random() did not return 0.13374200962499438 Math.random() did return 0.9579221445882034 expected unexpected received expected Additional info: Some Unexpected State was reached. Since this was unintended, and could inhibit the ability to complete the test and therefore not satisfy the project requirements, here is a link to the next part of the test: https://djul.datasektionen.se/public/restricted/17/tactics_exercise.pgn
The linked file is a PGN file which is a format for storing chess games. Viewing the game in a PGN viewer we can see that there are 56 moves which happens to be 7x8. By looking at each move and see if it moves to a black or white square and treating this as a 1 or 0 we can decode the moves as eight 7-bit numbers representing ASCII characters. We don’t know if a white square represents a 1 or 0 so we try both possibilities.
Running this gives the password
Day 20: The Polar Express, or T. Hanks for the Train
In this challenge we are given a LogiSim schematic with a lock. The lock takes five 7-bit values as input. By studying the schematic we can translate it into the following Z3 code and solve it.
Running this gives the output
ALIVE 1000001 1001100 1001001 1010110 1000101
So the password is
Day 21: Non-Solid Duck
In this challenge we are given a binary. By disassembling the code we can see that the program looks for two environment variables: USER and USER_ROLE. It checks that they are set to “admin” and “CYBERTOMTE” respectively. Running the program with these environment variables correctly set gives us the password
Day 22: Come Come Kitty Kitty, You’re So Pretty Pretty
In this challenge we are given the following “map”
Notice that the character are either lower or upper case. Treating each pair of characters as an X/Y coordinate pair- with coordinates ranging from A to K and lowercase as 0 and uppercase as 1 we can construct the following grid:
_|_|_|_|0|_|_|_|0|_|_|_ 0|_|_|0|1|1|0|1|0|0|1|_ _|1|_|1|_|_|1|_|_|_|_|_ _|_|0|1|_|0|_|0|_|_|0|_ _|_|_|0|1|1|_|_|0|1|_|_ _|_|_|1|0|1|_|_|1|0|_|_ _|_|0|1|_|1|_|0|_|_|0|_ _|0|_|0|_|0|1|_|_|_|_|1 _|0|1|1|0|0|0|0|1|_|_|_ _|_|_|_|0|1|_|_|_|_|_|_ _|_|_|1|_|0|_|_|_|_|_|_ _|_|_|_|_|_|_|_|_|_|_|_
Reading rom the grid we can find eight 8-bit sequences which can be read forwards or backwards.
This leaves us with the following possible letters: i, a, (F or b), a, (6 or l), i, m, (r or N). From these letters we can form the word
Day 23: Squaring Off
In the final real challenge we are provided with a website containing an empty four by four grid and numbers in the background. The numbers only contain the digits 0-7 and can therefore be interpreted as octal numbers:
77 167 155 164 163 160 160 162 150 162 164 165 157 157 75 145
Doing this and then decoding them as ASCII gives us the following grid:
?wmt sppr hrtu oo=e
If we read this column by column instead of row by row we get
?showprompt=true. Adding this to the URL shows an input box and a sound clip called
birthyearoftheartist.ogg. Using Shazam to identify the song reveals that it is Vanessa’s First Smiles by Richard Clayderman who was born in 1953. Entering this in the input show an image called
video.mp4.png which looks like it should be a video clip. Downloading the file and inspecting it with binwalk reveals that it is both a PNG image and a ZIP archive. Unzipping the image gives us a file called
last step.mp4 which is a slightly corrupted MP4 file. Using a hex editor such as 010Editor and another MP4 file as reference we can repair the file by fixing the names of a few parts of the file and playing the video with VLC. This gives us the password
Day 24: Tying Up Loose Ends
We are given the instructions:
The solution to this window is “Moses’ “ last name.
Moses Purist can be rearranged into
Sus Imposter which gives the final password
I managed to finish in 10th place this year and out of 12 people solving all challenges I was the only one who did it on my own. Thanks a lot to the organisers for another great edition of Djulkalendern. Looking forward to the next year.